NuGet / NuGetGallery

NuGet Gallery is a package repository that powers https://www.nuget.org. Use this repo for reporting NuGet.org issues.
https://www.nuget.org/
Apache License 2.0

[Feature]: Warn when packages include/reference < .NETStandard2.0 #9984

Open JonDouglas opened 3 weeks ago

JonDouglas commented 3 weeks ago

Related Problem

https://github.com/dotnet/designs/pull/317

The Elevator Pitch

We should provide a warning when a package author uploads a package targeting an old version of .NETStandard to help push the ecosystem forward based on guidance from a 2020 blog:

https://devblogs.microsoft.com/dotnet/the-future-of-net-standard/

TL;DR We should use the README, CVE, LICENSE warning infrastructure to detect < .NETStandard2.0 and warn package authors to consider upgrading.

Here is some preliminary data to support this (based on https://github.com/dotnet/designs/pull/317#issuecomment-2136010995):

For what it is worth, .NETStandard 1.x is < 2% (all versions combined) of assemblies on NuGet.org. .NETStandard 2.0 is ~23% and .NETStandard 2.1 is ~2%. Just a quick query, but hopefully helps in this conversation.

In addition, people can use NuGet.org's newish Search by TFM feature to help find specific packages w/ those assets.

.NET Standard 1.X: (image omitted)

.NET Standard 2.0: (image omitted)

.NET Standard 2.1: (image omitted)

Additional Context and Details

No response

terrajobst commented 3 weeks ago

Thanks for getting this item filed!

A couple of questions:

  1. When does the warning appear? Is it during nuget push, nuget restore, or dotnet build (when GeneratePackageOnBuild is true).
  2. Can the warning be suppressed?
  3. Do we warn for a package that contains only netstandard1x or also for package that target other frameworks?

erdembayar commented 3 weeks ago

@JonDouglas

I think this proposal is related to design spec https://github.com/NuGet/Engineering/pull/5431. Could you please confirm?

JonDouglas commented 3 weeks ago

> Thanks for getting this item filed!
>
> A couple of questions:
>
>   1. When does the warning appear? Is it during nuget push, nuget restore, or dotnet build (when GeneratePackageOnBuild is true).
>   2. Can the warning be suppressed?
>   3. Do we warn for a package that contains only netstandard1x or also for package that target other frameworks?

  1. This is a registry side warning. It appears on upload before publishing as a verify step: (image omitted)
  2. No it cannot as it is just an info banner.
  3. We would just warn if we detect any asset in the proposed netstandard1x

@erdembayar No this is not the same. This is a separate thing that builds upon the collection of experiences we are bringing to verify.
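As an added illustration of the detection described in answer 3 above (not code from NuGetGallery or the NuGet team), a standalone Python sketch that finds netstandard1.x assets by the TFM folder names inside a .nupkg and produces the info-banner text a verify step could show; the entry paths, sample package and banner wording are constructed assumptions.

```python
import io
import re
import zipfile

# Folders whose sub-folder name is a target framework moniker (TFM): lib/<tfm>/,
# ref/<tfm>/ and runtimes/<rid>/lib/<tfm>/. Only the netstandard family is matched.
NETSTANDARD_ASSET_RE = re.compile(
    r"^(?:lib|ref|runtimes/[^/]+/lib)/netstandard(\d+)\.(\d+)/[^/]+", re.IGNORECASE
)
MINIMUM_VERSION = (2, 0)  # the floor the proposal nudges authors toward


def netstandard_assets(entry_names):
    """Map each .nupkg entry under a netstandard TFM folder to its (major, minor)."""
    found = {}
    for name in entry_names:
        name = name.replace("\\", "/")
        if name.endswith("/"):      # directory entry, not an asset
            continue
        match = NETSTANDARD_ASSET_RE.match(name)
        if match:
            found[name] = (int(match.group(1)), int(match.group(2)))
    return found


def old_netstandard_assets(entry_names):
    """Entries below .NETStandard 2.0 (a `_._` placeholder counts: it declares support)."""
    assets = netstandard_assets(entry_names)
    return sorted(path for path, version in assets.items() if version < MINIMUM_VERSION)


def verify_warning(nupkg_bytes):
    """Return the (assumed) info-banner text, or None when there is nothing to flag."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as package:  # a .nupkg is a zip
        old = old_netstandard_assets(package.namelist())
    if not old:
        return None
    versions = netstandard_assets(old)
    tfms = sorted({f"netstandard{major}.{minor}" for major, minor in versions.values()})
    return (f"This package contains assets for {', '.join(tfms)}; "
            "consider targeting .NETStandard 2.0 or later.")


def build_sample_nupkg(entry_names):
    """Constructed in-memory .nupkg holding empty files at the given paths."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        for name in entry_names:
            package.writestr(name, b"")
    return buffer.getvalue()
```

Only the folder layout is inspected; nuspec dependency groups are deliberately not consulted, so a package whose only netstandard1.x reference is a dependency group would not be flagged by this sketch.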

erdembayar commented 5 days ago

Team triage: If it is a command line error/warning it might break the CI pipeline, so we probably need an option to turn it off.